The potential legal consequences of a personal data breach
Tue Goldschmieding, Partner
16 April 2015 (deck dated 15 April 2015)
Contents
1. Definitions
2. Data Security Breach Management
3. What an organisation should do in the event of a data breach (checklist)
4. Practical implications of a breach for the business
5. Preparing for the future
Definitions
Personal data is defined in Article 2(a) of Directive 95/46/EC as any information relating to an identified or identifiable natural person (the "data subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Personal data breach is defined in Article 2(i) of Directive 2002/58/EC as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.
A personal data breach covers more than just the simple misappropriation of data and may include:
- Theft: loss or theft of data, equipment or media
- Attacks: a deliberate attack on systems; malicious acts such as hacking, viruses or deception (the unlawful obtaining of personal data, more frequently referred to as "blagging")
- Loss of data: equipment failure; acts of God (for example, fire or flood)
- Logical breach: people gaining inappropriate access
- Human error
Liability for data security
Data controllers are liable for data security
- A data controller is responsible for ensuring appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.
- This liability remains with the data controller regardless of whether:
  - the data controller engages a third-party data processor (e.g. an IT service provider);
  - the data controller uses common software or systems (e.g. commonly available cloud services) for processing personal data;
  - new security threats arise.
What counts as appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access is informed by:
- Executive Order no. 528 of 15 June 2000 on security measures for the protection of personal data processed within the public sector (applied by analogy), which addresses:
  - authorisation and access control
  - in-going and out-going data
  - external lines of communication
  - logging
- Generally recognised practices within the IT industry
- Requirements established through the cases, practice and guidelines published by the Danish Data Protection Agency and other national agencies
- Working papers and opinions published by the Article 29 Group
- The European Network and Information Security Agency (ENISA)
Data Security Breach Management

An organisation should have both a strong internal data protection policy and a data breach response plan (see checklist) in place so that it can respond to a data breach swiftly and effectively. The data protection policy aims to lower the possibility of a personal data breach. However, even the most sophisticated data protection policy is not invulnerable, so a data breach response plan should be produced and followed.

To manage a breach of security, an organisation should:
- adopt a recovery plan, including damage limitation;
- carry out an assessment of any ongoing risks associated with the breach;
- consider whether the breach should be notified, who should be notified and what information should be given, including specific advice to individuals on the steps they can take to protect themselves; and
- evaluate the cause of the breach and the effectiveness of its response to it.
Checklist: What an organisation should do in the event of a data breach
Checklist
1. Assemble the Security Breach Team; contact the data privacy officer or legal counsel, whichever is applicable
2. Investigate the facts
3. Stop or mitigate the breach
4. Determine the identity of the data controller(s)
5. Consider who needs to be notified
6. Check the contract
7. Disciplinary action
8. Audit of security appropriateness and need to make improvements
1. Assemble the Security Breach Team; contact the data privacy officer or legal counsel, whichever is applicable

Data controllers should put in place a Security Breach Team to deal with personal data security breach incidents. The team should have a clear plan to follow and be trained in advance to deal with personal data breaches quickly and effectively, limiting the damage of the breach as much as possible. The membership of the Security Breach Team will depend on the organisation but should include at least one senior officer; individuals from areas such as Human Resources, Personal Representation, IT, security (IT and physical), and legal and compliance officers with appropriate seniority should also sit on the Security Breach Team. All members need to be clear about who is taking ultimate responsibility.
2. Investigate the facts

The data security breach should be investigated to determine:
- the nature and cause of the breach;
- the extent of the damage or harm that results or could result from the breach.

3. Stop or mitigate the breach

Take action to stop the data security breach from continuing or recurring, and mitigate the harm that may continue to result from the breach.

4. Determine the identity of the data controller(s)

The data controller is the party that determines the purpose for, and manner in which, personal data is processed. This may not always be obvious, and there may be more than one data controller.
5. Consider who needs to be notified

- The competent national authority (the Danish Data Protection Agency): Directive 2002/58/EC (and the proposed European data protection regulation) require personal data breaches to be notified by providers of electronic communication services to the competent national authority. The details of the information to provide are set out in Annex I of Regulation 611/2013.
- Other data controllers: if there are other data controllers of the personal data in question, you may want to notify them.
- Data processors: it is not a mandatory requirement to notify the data processor. However, if it is uncertain who is responsible for the personal data breach, or the data controller suspects or knows that the data processor is responsible (e.g. the Nets case), the processor should be notified.
- Insurers: notification of potential claims may be an insurance policy requirement.
- Data subjects: where the personal data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller should notify the data subject of the breach without undue delay. Data controllers should consider whether the data subject will benefit from knowing about the data security breach involving their personal data, for example by being able to change passwords or bank accounts to help prevent potential fraudulent use of the data.
- Data subjects (cont'd): There is an exemption from the requirement to notify data subjects where the data has been rendered unintelligible. If the data controller can demonstrate to the competent authority that it has implemented appropriate technological protection measures that render the data unintelligible to any person who is not authorised to access it, notification of the personal data breach to the data subject is not required. For example, a confidentiality breach involving personal data encrypted with a state-of-the-art algorithm is still a personal data breach and has to be notified to the authority, BUT if the confidentiality of the key is intact, the data are in principle unintelligible to any unauthorised person, so the breach is unlikely to adversely affect the data subject and therefore does not need to be notified to the data subject.
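A worked illustration of the exemption just described, added here and not part of the original presentation. It assumes a small incident record (the Breach class and its fields are constructed names) and, because Python's standard library has no AES, stands in an HMAC-SHA256 keystream cipher with an HMAC tag for the state-of-the-art algorithm the slide refers to. What it shows is the condition that decides data-subject notification: the same leaked blob yields no plaintext to a finder without the key, and yields everything once the key is exposed beside it, so the triage question is "was the key's confidentiality intact?", not merely "was the data encrypted?".

```python
"""Breach triage for the 'rendered unintelligible' exemption.

Added illustration; not part of the original presentation. The cipher is
a stand-in (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC) because
the standard library has no AES; in production use an authenticated cipher
such as AES-GCM from a vetted library. The triage logic is unchanged by that.
"""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered blob raises ValueError."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or altered data")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


@dataclass
class Breach:
    """What the Security Breach Team has established about one incident (constructed)."""
    description: str
    data_encrypted: bool              # appropriate technological protection measures in place
    key_confidentiality_intact: bool  # the key was not exposed alongside the data
    adverse_effect_likely: bool       # assessment if the data is intelligible to the recipient


def unintelligible(b: Breach) -> bool:
    """The exemption needs BOTH conditions: encrypted data AND an intact key."""
    return b.data_encrypted and b.key_confidentiality_intact


def notification_decision(b: Breach) -> dict:
    """Authority: always (it is still a personal data breach).
    Data subjects: only when the data is intelligible and adverse effect is likely."""
    if unintelligible(b):
        reason = "data rendered unintelligible; key confidentiality intact"
    else:
        reason = "data intelligible to whoever holds it"
    return {
        "authority": True,
        "data_subjects": (not unintelligible(b)) and b.adverse_effect_likely,
        "reason": reason,
    }


def recoverable_without_key(blob: bytes) -> bool:
    """Model the finder of a leaked blob who holds no key: a guessed key fails
    authentication, so no plaintext comes out."""
    try:
        decrypt(secrets.token_bytes(32), blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    record = b"customer_id=4711;name=Jane Doe;iban=DK00 0000 0000 0000 00"  # constructed sample
    leaked_blob = encrypt(key, record)

    only_ciphertext = Breach("backup media lost; keys kept elsewhere", True, True, True)
    media_and_key = Breach("laptop lost with key file next to the database", True, False, True)
    print(notification_decision(only_ciphertext))
    print(notification_decision(media_and_key))
    print("recoverable without key:", recoverable_without_key(leaked_blob))
    print("recoverable with key   :", decrypt(key, leaked_blob) == record)
```

The two Breach records differ only in key_confidentiality_intact, and that single field flips the data-subject decision while the authority notification stays mandatory in both cases; recording the evidence for that field (where the key lived, whether it was on the lost device) is what the controller must be able to demonstrate to the competent authority.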
6. Check the contract

Establish who is contractually responsible for the data breach, i.e. either the data controller or the data processor, and check the contract between the data controller and data processor to see what it prescribes. For example:
- Does the breach give rise to a right to claim damages? If so, is the value of the claim limited by the contractual limit of liability? Many contracts carve out claims for loss of data and damage to reputation from the limitation and exclusion of liability provisions.
- Do confidentiality obligations restrict the data controller from publicly referring to the data processor's responsibility for the data breach?
- Does the breach give rise to a right to terminate the contract? In many contracts a breach of the data security clauses will give rise to an express right to terminate.

Following the resolution of the breach, the data controller should also review the contract to see whether its provisions were sufficient to deal with such a personal data breach.
7. Disciplinary action

Data controllers will need to review the actions of employees who cause data security breaches and decide whether disciplinary action is appropriate.

8. Audit of security appropriateness and need to make improvements

An investigation should take place and include a review of whether appropriate security policies and procedures were in place and, if so, whether they were followed. Where security is found not to be appropriate for the purpose of data protection, consider what action needs to be taken to raise data protection and security compliance standards to those required. If the Commissioner from the competent national authority becomes involved in a data security breach, he is likely to request this information.
Practical implications of a breach for the business
Implications for the organisation

The results for the organisation will also vary with the type of breach. Any of the following may apply:
- National regulators are commonly granted fairly wide powers of investigation and inspection as well as powers of intervention, for example the right to order a data controller to cease infringing behaviour or to impose fines.
- The data subject also has a right to claim compensation from a data controller where damage has been suffered as a result of unlawful processing of personal data (Article 23(1), Data Protection Directive).
- Some countries have also adopted criminal sanctions, including custodial sanctions, for particularly severe breaches of the data protection principles.
- Aside from legal sanctions, non-compliance can result in damaging adverse publicity.
Improving data protection

Data policy: are employees trained to understand the data protection policy of the organisation? Data security measures will be ineffective if the firm does not design and maintain a suitable data policy. For example:
- Training for employees: employees and anyone else who interacts with the data, such as consultants, should receive adequate data protection and data security training. This should cover what they need to do to keep personal data secure and whom they are permitted to disclose personal data to.
- Access rights: the data controller should ensure that only those people who require access to the data are allowed to access it, and that the data is only processed to the extent strictly required.
- Encryption: personal data can be stored and transmitted using one of a variety of commercial encryption techniques. This ensures that if there is a confidentiality breach, such as a data leak, the data is rendered useless to whoever obtains it.
Data policy (cont'd):
- Privacy by design: consideration of the privacy requirements before the development of any new system or process, and maintaining privacy as a fundamental part of the system throughout the life cycle of the system or process.
- Data retention policy: data should be stored appropriately using approved and audited systems. Furthermore, data should be kept no longer than is necessary for the purposes for which it was collected, and periodically destroyed.
- Privacy Impact Assessment (PIA): a process which helps organisations to identify and reduce the privacy risks of a project and comply with data protection obligations. It enables an organisation to systematically and thoroughly analyse the data protection issues from the beginning of a project.
Effectiveness of the response: were there any problems with the recovery plan? The data controller needs to objectively assess the success of the recovery plan to see if and how it can be improved.

Review the contract between the data controller and the data processor: are the data security obligations in the contract appropriate for the purposes of dealing with such a personal data breach?
Preparing for the future
New Data Protection Regulation

The Commission has proposed a reform of data protection in the form of a General Data Protection Regulation. Although this has been significantly delayed, the following issues relating to personal data breaches look likely to arise, to a greater or lesser extent:
- Fines and enforcement: fines of up to 5% of global annual turnover proposed.
- Territorial reach: controllers and processors that process personal data in the context of the activities of an establishment in the EU will be subject to the Regulation. This will vastly extend the reach of EU data protection legislation.
- Security: processors as well as controllers should be directly liable for implementing appropriate technical and organisational security measures, having regard to the state of the art and the cost.
- Breach notification: data breaches should be notified to the regulator within a very short amount of time (the Commission has proposed within 24 hours, while the European Parliament has proposed notification without undue delay and within a target of 72 hours).
Draft General Data Protection Regulation
- Processor liability: where previously obligations under EU data protection law have applied to data controllers only, processors will for the first time be subject to a number of obligations and restrictions, and exposed to fines and other regulatory action. Negotiating and future-proofing contracts between controllers and processors will be very important in the near future.
- Privacy by design: obligations ensuring that privacy and data protection will be integrated into the design of Information and Communication Technologies.
- Privacy impact assessment: this would make privacy impact assessments mandatory when organisations are considering engaging in personal data processing.